Spambots & Prevention

As you may know from reading other blog posts or pages on this site I’m a web developer. This is my job and I also do some at home.

You may also know that I used to play ice hockey for the Whitley Warriors until I was forced to retire after suffering a DVT.

When playing for the Warriors and studying HND computing at college I created a website dedicated to the Whitley Warriors ice hockey team. Eventually this site became the Official Whitley Warriors website.

The site is powered by a custom CMS (Content Management System) written by myself using PHP and MySQL and makes use of the Zend Framework.

Recently we’ve been getting a lot of spambots registering on the site forums (powered by SMF), making a mess and forcing me to spend hours removing posts and spam users (I’ve removed about 2500 users to date).

We are running CAPTCHA images but the spambots have managed to bypass this allowing them to sign up.

So I’ve recently added a few fields to the sign up form and database to help track new users and try to prevent the registration of spambots. Without the correct answers the registration will fail.

So what have I tried?

I’ve added a couple of dropdowns: Are you human? Are you a spambot?

Pick the wrong answer here and the registration attempt will be rejected.

I’ve attempted to catch spambots out here – if they change both answers they’ll fail, if they leave both answers on the default value they’ll also fail. They must choose the right question to change the answer in order to be successful.

Spambots also like to try to answer every question in the form – so I’ve added a box which must be left blank in order for the registration process to be successful.

The final measure in this attempt to prevent the registration of spambots is to ensure that the form has been posted from the correct page on my site. A lot of spambots submit their own form from a remote site, so, by checking the referrer we can see if the user has registered from the correct site and reject any remote registrations.
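
The three checks described above (the paired dropdowns, the box that must stay blank and the referrer check) can be combined in one validation function, as in the sketch below. This is an added example, not the code running on the site; the field names, the default dropdown values, the host and the path are assumptions.

```php
<?php
// Added example. Field names, default values, host and path are assumptions.
const EXPECTED_HOST = 'forum.example.org'; // placeholder for the site's own host
const REGISTER_PATH = '/register';         // placeholder for the registration page
// Returns the reasons a registration is rejected; an empty array means accept.
function registrationFailures(array $post, array $server): array
{
    $failures = [];

    // Assumed: both dropdowns default to "no"; only "Are you human?" should change.
    if (($post['are_you_human'] ?? null) !== 'yes'
        || ($post['are_you_spambot'] ?? null) !== 'no') {
        $failures[] = 'dropdowns';
    }

    // Trap field: the genuine form always sends it, and it must be empty.
    if (!array_key_exists('leave_blank', $post)
        || !is_string($post['leave_blank'])
        || trim($post['leave_blank']) !== '') {
        $failures[] = 'trap field';
    }

    // Referer is client-supplied and may be absent: use it as a filter only.
    $referer = $server['HTTP_REFERER'] ?? '';
    $host = parse_url($referer, PHP_URL_HOST);
    $path = parse_url($referer, PHP_URL_PATH);
    if (!is_string($host) || strcasecmp($host, EXPECTED_HOST) !== 0
        || $path !== REGISTER_PATH) {
        $failures[] = 'referrer';
    }
    return $failures;
}

// Constructed sample submissions (not real traffic).
$good = ['are_you_human' => 'yes', 'are_you_spambot' => 'no', 'leave_blank' => ''];
$page = ['HTTP_REFERER' => 'https://forum.example.org/register'];
$samples = [
    'genuine form'          => [$good, $page],
    'changed both'          => [['are_you_spambot' => 'yes'] + $good, $page],
    'left both default'     => [['are_you_human' => 'no'] + $good, $page],
    'filled every field'    => [['leave_blank' => 'http://spam.example'] + $good, $page],
    'posted from remote'    => [$good, ['HTTP_REFERER' => 'http://spam.example/form']],
    'stock form, no extras' => [[], []],
];
foreach ($samples as $label => [$post, $server]) {
    $why = registrationFailures($post, $server);
    echo str_pad($label, 24), $why ? 'reject: ' . implode(', ', $why) : 'accept', "\n";
}
```

Requiring the trap field to be present, not just empty, also rejects a submission built from the stock form that never included the custom fields.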

These measures seem to be working so far, but, if any of you can think of any other measures, whether it be actual code or just theories, which could be introduced or have any comments on the steps I’ve taken so far then please leave a comment.

3 thoughts on “Spambots & Prevention”

  1. Mal

    Would a spam bot not try every combination until it works? Comps can do millions of processes, as you know, in seconds. Could you do an IP block after so many unsuccessful attempts and add a “if you are blocked out please email xxxxx for assistance?”

    Thanks,
    Malcolm

  2. Stephen Hoult Post author

    Good point – It seems that most spambots are written to target a certain piece of software. In this case the software is SMF (Simple Machines Forums).

    The measures I’ve introduced use a customised registration form.

    The answers given to the custom questions in the form are used to validate the registration.

    If the wrong (or no) answer is given the registration will fail validation.

    Because the spambots will be submitting their own version of the registration form they will not be answering the custom validation questions.

    Ultimately this means that the spambot registration is rejected.
